How to fix CVE-2025-14866?

Within 24 hours: Identify all WordPress installations using Melapress Role Editor versions up to 1.1.1 and document their business criticality. Within 7 days: Implement compensating controls (disable plugin if non-critical, restrict admin access via WAF/network controls, or isolate affected systems). Within 30 days: Monitor for vendor patch release and establish upgrade plan; evaluate alternative role management solutions if patch remains unavailable.

Is PHP affected by CVE-2025-14866?

Melapress Role Editor, a WordPress plugin used for user permission management, contains a critical authorization flaw (CVE-2025-14866) that could allow attackers to bypass access controls and escalate privileges.

CVE-2025-14866

HIGH

2026-01-23 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 23, 2026 - 13:15 nvd

HIGH 8.8

Description

The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.

Analysis

Melapress Role Editor (WordPress plugin) versions up to 1.1.1. is affected by incorrect authorization (CVSS 8.8).

Technical Context

This vulnerability (CWE-863: Incorrect Authorization) affects Melapress Role Editor (WordPress plugin). The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.

Affected Products

Vendor: WordPress. Product: Melapress Role Editor (WordPress plugin). Versions: up to 1.1.1..

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-14866 vulnerability details – vuln.today

Back

CVE-2025-14866

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14866

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code